Shellcode. I’ll Call you back.

Posted on by

Many malicious wrappers and position-independent payloads (especially based on AutoIT, and VB) attempt to use various techniques to execute the main payload evading the curious eyes of security solutions, and malware analysts. One of the most popular ways to execute the code in a more stealthy way relies on using a mechanism known as a ‘call back’. A typical call back is just a function address that is passed to a legitimate, most often a well-documented and innocent API function and then the call back function is executed internally when the API encounters a specific event the call back is set up to intercept.

Some call backs are set up asynchronously and will be called in response to specific events f.ex. windows hooks execute a call back function when a key is pressed on the keyboard, a mouse moved, or a window maximized, and timer callbacks are called after a specific time interval passes. Others are executed synchronously by a given API that relies on the call back mechanism to allow the callback function to intercept some data while enumerating certain properties of the system (f.ex. popular lately EnumDateFormats). The latter are the most commonly call back functions used by the wrappers.

Since this trick is popular and kinda stealthy + makes things a bit harder to analyze… every once in a while a ‘new’ type of malware pops up using a previously unknown, or barely known call back function which – in return – obviously triggers an interest of the malware analysts all over the place.

It crossed my mind that it would be cool to list all possible (or, more precisely: all documented) call back functions giving us at least a theoretical knowledge of what is out there. And this is what this post is about. While the list doesn’t cover everything, it certainly covers a lot – it includes 500+ call back functions documented in MSDN and on Microsoft web site, or elsewhere. Hopefully, a good start to include these in sandboxing solutions and API monitors of any sort.

As usual, if you spot any mistake in the list, please let me know and I’ll fix it. Thanks!

Here’s the list:

  • acmDriverEnumCallback
  • acmDriverProc
  • acmFilterChooseHookProc
  • acmFilterEnumCallback
  • acmFilterTagEnumCallback
  • acmFormatChooseHookProc
  • acmFormatEnumCallback
  • acmFormatTagEnumCallback
  • acmStreamConvertCallback
  • AddInterface
  • AddPropSheetPageProc
  • AddSecureMemoryCacheCallback
  • agePaintHook
  • ageSetupHook
  • AllocateMemory
  • APCProc
  • ApplicationRecoveryCallback
  • ApplyCallbackFunction
  • asswordChangeNotify
  • asswordFilter
  • AuthzAccessCheckCallback
  • AuthzComputeGroupsCallback
  • AuthzFreeGroupsCallback
  • BindIoCompletionCallback
  • BlockConvertServicesToStatic
  • BlockDeleteStaticServices
  • BrowseCallbackProc
  • BufferCallback
  • CallWndProc
  • CallWndRetProc
  • capControlCallback
  • capErrorCallback
  • capStatusCallback
  • capVideoStreamCallback
  • capWaveStreamCallback
  • capYieldCallback
  • CBTProc
  • CCHookProc
  • CertChainFindByIssuerCallback
  • CertDllOpenStoreProv
  • CertEnumPhysicalStoreCallback
  • CertEnumSystemStoreCallback
  • CertEnumSystemStoreLocationCallback
  • CertStoreProvCloseCallback
  • CertStoreProvDeleteCertCallback
  • CertStoreProvDeleteCRLCallback
  • CertStoreProvDeleteCTL
  • CertStoreProvFindCert
  • CertStoreProvFindCRL
  • CertStoreProvFindCTL
  • CertStoreProvFreeFindCert
  • CertStoreProvFreeFindCRL
  • CertStoreProvFreeFindCTL
  • CertStoreProvGetCertProperty
  • CertStoreProvGetCRLProperty
  • CertStoreProvGetCTLProperty
  • CertStoreProvReadCertCallback
  • CertStoreProvReadCRLCallback
  • CertStoreProvReadCTL
  • CertStoreProvSetCertPropertyCallback
  • CertStoreProvSetCRLPropertyCallback
  • CertStoreProvSetCTLProperty
  • CertStoreProvWriteCertCallback
  • CertStoreProvWriteCRLCallback
  • CertStoreProvWriteCTL
  • CFHookProc
  • ClaimMediaLabel
  • CleanupGroupCancelCallback
  • ClientCallback
  • ClientCallback_Function
  • CloseServiceEnumerationHandle
  • CollectPerformanceData
  • CompletionProc
  • ConnectClient
  • ControlCallback
  • CopyProgressRoutine
  • CounterPathCallBack
  • CQPageProc
  • CreateServiceEnumerationHandle
  • CreateStaticService
  • CryptGetSignerCertificateCallback
  • CRYPT_ENUM_KEYID_PROP
  • CRYPT_ENUM_OID_FUNCTION
  • CRYPT_ENUM_OID_INFO
  • CRYPT_RETURN_HWND
  • CRYPT_VERIFY_IMAGE
  • CspGetDHAgreement
  • DavAuthCallback
  • DavFreeCredCallback
  • DavRegisterAuthCallback
  • DavUnregisterAuthCallback
  • DdeCallback
  • DdeEnableCallback
  • DeleteInterface
  • DeleteStaticService
  • DemandDialRequest
  • DhcpAddressDelHook
  • DhcpAddressOfferHook
  • DhcpControlHook
  • DhcpDeleteClientHook
  • DhcpHandleOptionsHook
  • DhcpNewPktHook
  • DhcpPktDropHook
  • DhcpPktSendHook
  • DhcpServerCalloutEntry
  • DialogProc
  • DigestFunction
  • DisassociateCurrentThreadFromCallback
  • DisconnectClient
  • DllCallbackProc
  • DllGetClassObject
  • DoUpdateRoutes
  • DoUpdateServices
  • DPA_DestroyCallback
  • DPA_EnumCallback
  • DrawStateProc
  • DriverCallback
  • DSA_DestroyCallback
  • DSA_EnumCallback
  • DSEnumAttributesCallback
  • EditStreamCallback
  • EditWordBreakProc
  • EditWordBreakProcEx
  • EmbeddedUIHandler
  • EnableCallback
  • EnhMetaFileProc
  • EnumCalendarInfoProc
  • EnumCalendarInfoProcEx
  • EnumCalendarInfoProcExEx
  • EnumChildProc
  • EnumCodePagesProc
  • EnumDateFormatsProc
  • EnumDateFormatsProcEx
  • EnumDateFormatsProcExEx
  • EnumDesktopProc
  • EnumDirTreeProc
  • EnumerateGetNextService
  • EnumerateLoadedModulesProc64
  • EnumFontFamExProc
  • EnumFontFamProc
  • EnumFontsProc
  • EnumGeoInfoProc
  • EnumICMProfilesProcCallback
  • EnumInputContext
  • EnumLanguageGroupLocalesProc
  • EnumLanguageGroupsProc
  • EnumLocalesProc
  • EnumLocalesProcEx
  • EnumMetaFileProc
  • EnumObjectsProc
  • EnumPageFilesProc
  • EnumRegisterWordProc
  • EnumResLangProc
  • EnumResNameProc
  • EnumResTypeProc
  • EnumThreadWndProc
  • EnumTimeFormatsProc
  • EnumTimeFormatsProcEx
  • EnumUILanguagesProc
  • EnumWindowsProc
  • EnumWindowStationProc
  • EventCallback
  • EventClassCallback
  • EventRecordCallback
  • Event_Handler_Function_Name
  • EVT_SUBSCRIBE_CALLBACK
  • ExportCallback
  • FaxLineCallback
  • FaxRouteAddFile
  • FaxRouteDeleteFile
  • FaxRouteEnumFile
  • FaxRouteEnumFiles
  • FaxRouteGetFile
  • FaxRouteModifyRoutingData
  • FaxRoutingInstallationCallback
  • FaxSendCallback
  • FAX_RECIPIENT_CALLBACK
  • FExecuteInAppDomainCallback
  • FiberProc
  • FileIOCompletionRoutine
  • FILE_RESTORE_CALLBACK
  • FindDebugInfoFileProc
  • FindExecutableImageProc
  • FLockClrVersionCallback
  • FlsCallback
  • FNCCERTDISPLAYPROC
  • FNCFILTERPROC
  • FNCMFILTERPROC
  • FNCMHOOKPROC
  • FNDAENUMCALLBACK
  • FNDPAENUMCALLBACK
  • FNDSAENUMCALLBACK
  • FNPEER_FREE_SECURITY_DATA
  • FNPEER_SECURE_RECORD
  • FNPEER_VALIDATE_RECORD
  • FN_AUTHENTICATION_CALLBACK
  • FN_AUTHENTICATION_CALLBACK_EX
  • FN_BLUETOOTH_ENUM_ATTRIBUTES_CALLBACK
  • FN_CDF_PARSE_ERROR_CALLBACK
  • FN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK
  • FN_CERT_DLL_OPEN_STORE_PROV_FUNC
  • FN_CERT_ENUM_PHYSICAL_STORE
  • FN_CERT_ENUM_SYSTEM_STORE
  • FN_CERT_STORE_PROV_CLOSE
  • FN_CERT_STORE_PROV_DELETE_CERT
  • FN_CERT_STORE_PROV_DELETE_CRL
  • FN_CERT_STORE_PROV_READ_CERT
  • FN_CERT_STORE_PROV_READ_CRL
  • FN_CERT_STORE_PROV_SET_CERT_PROPERTY
  • FN_CERT_STORE_PROV_SET_CRL_PROPERTY
  • FN_CERT_STORE_PROV_SET_CTL_PROPERTY
  • FN_CERT_STORE_PROV_WRITE_CERT
  • FN_CERT_STORE_PROV_WRITE_CRL
  • FN_CERT_STORE_PROV_WRITE_CTL
  • FN_CRYPT_XML_CREATE_TRANSFORM
  • FN_CRYPT_XML_DATA_PROVIDER_CLOSE
  • FN_CRYPT_XML_DATA_PROVIDER_READ
  • FN_CRYPT_XML_ENUM_ALG_INFO
  • FN_CRYPT_XML_WRITE_CALLBACK
  • FN_DEVICE_CALLBACK
  • FN_WdsCliCallback
  • FN_WdsCliTraceFunction
  • FN_WdsTransportClientReceiveContents
  • FN_WdsTransportClientReceiveMetadata
  • FN_WdsTransportClientSessionComplete
  • FN_WdsTransportClientSessionStart
  • FN_WdsTransportClientSessionStartEx
  • ForegroundIdleProc
  • FreeMemory
  • FRHookProc
  • FuncReturnhWnd
  • FunctionTableAccessProc64
  • FuncVerifyImage
  • GenerateGroupPolicy
  • GetApplicationRecoveryCallback
  • GetEventMessage
  • GetFirstOrderedService
  • GetGlobalInfo
  • GetInterfaceInfo
  • GetMfeStatus
  • GetModuleBaseProc64
  • GetMsgProc
  • GetNeighbors
  • GetNextOrderedService
  • GetRequest
  • GetResponse
  • GetServiceCount
  • GetSize
  • GetTSAudioEndpointEnumeratorForSession
  • gluNurbsCallback
  • gluQuadricCallback
  • gluTessCallback
  • GopherAttributeEnumerator
  • HandlerEx
  • HandlerRoutine
  • honeCallbackFunc
  • hone_Event
  • HyphenateProc
  • ICMProgressProcCallback
  • ImportCallback
  • InitHelperDll
  • InitializeChangeNotify
  • InitializeEmbeddedUI
  • InitOnceCallback
  • InsertAt
  • InstalluiHandler
  • InstalluiHandlerRecord
  • INSTALLUI_HANDLER
  • InterfaceStatus
  • InternetSetStatusCallback
  • InternetStatusCallback
  • INTERNET_STATUS_CALLBACK
  • IoCompletionCallback
  • IOProc
  • IsService
  • JournalPlaybackProc
  • JournalRecordProc
  • KeyboardProc
  • lineCallbackFunc
  • LineDDAProc
  • Line_Event
  • LOG_FULL_HANDLER_CALLBACK
  • LOG_TAIL_ADVANCE_CALLBACK
  • LOG_UNPINNED_CALLBACK
  • LowLevelKeyboardProc
  • LowLevelMouseProc
  • LPCQADDFORMSPROC
  • LPCQADDPAGESPROC
  • LPCQPAGEPROC
  • LPDISPLAYVAL
  • LPDSENUMATTRIBUTES
  • LPEVALCOMCALLBACK
  • LPFNDFMCALLBACK
  • LPFNVIEWCALLBACK
  • MagGetImageScalingCallback
  • MagImageScalingCallback
  • MagSetImageScalingCallback
  • MappingCallbackProc
  • MaxMediaLabel
  • MessageProc
  • MFAddPeriodicCallback
  • MFInvokeCallback
  • MFPERIODICCALLBACK
  • MFRemovePeriodicCallback
  • MgmCreationAlertCallback
  • MgmDisableIgmpCallback
  • MgmJoinAlertCallback
  • MgmLocalJoinCallback
  • MgmLocalLeaveCallback
  • MgmPruneAlertCallback
  • MgmRpfCallback
  • MgmWrongIfCallback
  • MGM_ENABLE_IGMP_CALLBACK
  • MibCreate
  • MibDelete
  • MIBEntryCreate
  • MIBEntryDelete
  • MIBEntryGet
  • MIBEntryGetFirst
  • MIBEntryGetNext
  • MIBEntrySet
  • MibGet
  • MibGetFirst
  • MibGetNext
  • MibGetTrapInfo
  • MibSet
  • MibSetTrapInfo
  • MidiInProc
  • MidiOutProc
  • MiniDumpCallback
  • MMCFreeNotifyHandle
  • MMCPropertyChangeNotify
  • MMCPropertyHelp
  • MMCPropPageCallback
  • MMIOProc
  • MonitorEnumProc
  • MouseProc
  • MRUCMPPROC
  • MyStatusProc
  • OFNHookProc
  • OFNHookProcOldStyle
  • OpenPerformanceData
  • ORASADFunc
  • OutOfProcessExceptionEventCallback
  • OutOfProcessExceptionEventDebuggerLaunchCallback
  • OutOfProcessExceptionEventSignatureCallback
  • OutputProc
  • PIO_APC_ROUTINE
  • QueryPower
  • RadiusExtensionFreeAttributes
  • RadiusExtensionInit
  • RadiusExtensionProcess
  • RadiusExtensionProcess2
  • RadiusExtensionProcessEx
  • RadiusExtensionTerm
  • RASADFunc
  • RasAdminAcceptNewConnection
  • RasAdminConnectionHangupNotification
  • RasAdminGetIpAddressForUser
  • RasAdminReleaseIpAddress
  • RasCustomDeleteEntryNotify
  • RasCustomDial
  • RasCustomDialDlg
  • RasCustomEntryDlg
  • RasCustomHangUp
  • RasCustomScriptExecute
  • RasDialFunc
  • RasDialFunc1
  • RasDialFunc2
  • RasEapBegin
  • RasEapEnd
  • RasEapFreeMemory
  • RasEapGetIdentity
  • RasEapGetInfo
  • RasEapInitialize
  • RasEapInvokeConfigUI
  • RasEapInvokeInteractiveUI
  • RasEapMakeMessage
  • RasFreeBuffer
  • RasGetBuffer
  • RasPBDlgFunc
  • RasReceiveBuffer
  • RasRetrieveBuffer
  • RasSecurityDialogBegin
  • RasSecurityDialogEnd
  • RasSendBuffer
  • RasSetCommSettings
  • ReaderScroll
  • ReadProcessMemoryProc64
  • RegisterApplicationRecoveryCallback
  • RegisterCallback
  • RegisterProtocol
  • RegisterWaitChainCOMCallback
  • RemoveAt
  • RemoveSecureMemoryCacheCallback
  • RemoveTraceCallback
  • rintHookProc
  • RM_WRITE_STATUS_CALLBACK
  • rocessGroupPolicy
  • rocessGroupPolicyEx
  • rogressNotificationCallback
  • ropEnumProc
  • ropEnumProcEx
  • ropSheetPageProc
  • ropSheetProc
  • RpcAuthKeyRetrievalFn
  • RpcMgmtAuthorizationFn
  • RpcnotificationRoutine
  • RpcObjectInqFn
  • RPC_IF_CALLBACK_FN
  • RtlInstallFunctionTableCallback
  • RTM_ENTITY_EXPORT_METHOD
  • RTM_EVENT_CALLBACK
  • SampleCommand
  • SampleCommit
  • SampleConnect
  • SampleDump
  • SampleOsVersionCheck
  • SampleStartHelper
  • SampleStop
  • SampleStopHelper
  • SceSvcAttachmentAnalyze
  • SceSvcAttachmentConfig
  • SceSvcAttachmentUpdate
  • SecureMemoryCacheCallback
  • SendAsyncProc
  • SendMessageCallback
  • ServiceMain
  • SetAt
  • SetGlobalInfo
  • SetInterfaceInfo
  • SetInterfaceReceiveType
  • SetLineRecoCallback
  • SetPower
  • SetProviderStatusFunc
  • SetProviderStatusInfoFreeFunc
  • SetResponseType
  • SetTraceCallback
  • SetupDefaultQueueCallback
  • SetupHookProc
  • SetupInitDefaultQueueCallback
  • SetupTermDefaultQueueCallback
  • ShellProc
  • ShutdownEmbeddedUI
  • SimpleCallback
  • SNMPAPI_CALLBACK
  • SnmpExtensionClose
  • SnmpExtensionInit
  • SnmpExtensionInitEx
  • SnmpExtensionMonitor
  • SnmpExtensionQuery
  • SnmpExtensionQueryEx
  • SnmpExtensionTrap
  • SoundSentryProc
  • SP_FILE_CALLBACK
  • StackSnapshotCallback
  • StartComplete
  • StartProtocol
  • StatusCallback
  • StatusMessageCallback
  • StatusRoutine
  • StopProtocol
  • SymEnumerateModulesProc64
  • SymEnumerateSymbolsProc64
  • SymEnumLinesProc
  • SymEnumProcessesProc
  • SymEnumSourceFilesProc
  • SymEnumSourceFileTokensProc
  • SymEnumSymbolsProc
  • SymFindFileInPathProc
  • SymRegisterCallback
  • SymRegisterCallbackProc64
  • SymRegisterFunctionEntryCallback
  • SymRegisterFunctionEntryCallbackProc64
  • SyncUpdateProc
  • SysMsgProc
  • TaskDialogCallbackProc
  • ThreadProc
  • TimeProc
  • TimeProvClose
  • TimeProvCommand
  • TimeProvOpen
  • TimerAPCProc
  • TimerCallback
  • TimerProc
  • TranslateAddressProc64
  • TranslateDispatch
  • TrySubmitThreadpoolCallback
  • UiaEventCallback
  • UiaProviderCallback
  • UiaRegisterProviderCallback
  • UmsSchedulerProc
  • UnbindInterface
  • UndeleteFile
  • UnregisterApplicationRecoveryCallback
  • ValidateRoute
  • VectoredHandler
  • VERIFYSERVERCERT
  • WaitCallback
  • WaitChainCallback
  • WaitOrTimerCallback
  • waveInProc
  • waveOutProc
  • WdsTransportClientRegisterCallback
  • WdsTransportProviderCloseContent
  • WdsTransportProviderCloseInstance
  • WdsTransportProviderCompareContent
  • WdsTransportProviderCreateInstance
  • WdsTransportProviderDumpState
  • WdsTransportProviderGetContentMetadata
  • WdsTransportProviderGetContentSize
  • WdsTransportProviderInitialize
  • WdsTransportProviderOpenContent
  • WdsTransportProviderReadContent
  • WdsTransportProviderRefreshSettings
  • WdsTransportProviderShutdown
  • WdsTransportProviderUserAccessCheck
  • WdsTransportServerRegisterCallback
  • WinBioCaptureSampleWithCallback
  • WinBioEnrollCaptureWithCallback
  • WinBioIdentifyWithCallback
  • WinBioLocateSensorWithCallback
  • WinBioVerifyWithCallback
  • WindowProc
  • WinEventProc
  • WinHttpSetStatusCallback
  • WINHTTP_STATUS_CALLBACK
  • WLAN_NOTIFICATION_CALLBACK
  • WorkCallback
  • WPUQueryBlockingCallback
  • xeProviderInitialize
  • xeProviderRecvRequest
  • xeProviderServiceControl
  • xeProviderShutdown
  • xeRegisterCallback